[ovirt-users] Info on changing IPA server hostname in oVirt

Gianluca Cecchi gianluca.cecchi at gmail.com
Wed Dec 10 21:22:27 UTC 2014


On Wed, Dec 10, 2014 at 9:25 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:

>
>
> 2014-12-10 19:03:16,554 ERROR
> [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread
> 1-1) [ovirt-engine-extension-aaa-ldap.authn::ldap1-authn] Cannot initialize
> LDAP framework, deferring initialization. Error: no such object
>
> This is interesting, I never saw this error; can I ask you to enable debug?
>
> Edit:
> /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in
>
> Add the following before the <root-logger> line:
>        <logger category="org.ovirt.engineextensions.aaa.ldap">
>          <level name="ALL"/>
>        </logger>
>
> Also in 3.5.0 you need to modify file-handler level to ALL instead of INFO
>       <file-handler name="ENGINE" autoflush="true">
>         <level name="ALL"/>
>
> Then restart engine and we should see lots of messages within engine.log.
>
> Thanks!
> Alon
>


Hi,
if you want I can send it to you... but I have understood...
I didn't change the domain parameters, leaving inside the
file /etc/ovirt-engine/aaa/ldap1.properties
dc=company,dc=com
and changing only the "uid=..." part ;-)

In fact inside IPA log files I see this:

[10/Dec/2014:22:01:54 +0100] ipapwd_pre_bind_otp - [file prepost.c, line
1296]: Not handled (could not search for BIND dn
uid=vadmin,cn=users,cn=accounts,dc=company,dc=com - error 32 : No such
object)
[10/Dec/2014:22:01:54 +0100] ipalockout_postop - [file ipa_lockout.c, line
503]: Failed to retrieve entry
"uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32
[10/Dec/2014:22:01:54 +0100] ipalockout_preop - [file ipa_lockout.c, line
749]: Failed to retrieve entry
"uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32
[10/Dec/2014:22:01:54 +0100] ipapwd_pre_bind_otp - [file prepost.c, line
1296]: Not handled (could not search for BIND dn
uid=vadmin,cn=users,cn=accounts,dc=company,dc=com - error 32 : No such
object)
[10/Dec/2014:22:01:54 +0100] ipalockout_postop - [file ipa_lockout.c, line
503]: Failed to retrieve entry
"uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32


After putting correct values
dc=localdomain,dc=local
and restarting the engine (without debug symbols)

all is ok and I can both search users and groups in ldap1 and connect to
the engine webadmin portal with apparently correct privileges (only limited
tests done).

Thanks and sorry for the misunderstanding...
two questions:
1) What about the legacy still working?

2) I see that the connection with LDAP apparently is through port 389 and
so in unencrypted mode.
What should I configure to enable ldaps:// connection mode as this is
sensitive information?

Possibly these lines in ldap1.properties?

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit

but how to use and where to put eventually the IPA certificate?
Do I have to convert IPA ca.crt into some other format?

Gianluca
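As an added example (not part of the thread, and not oVirt's own tooling), this script builds the JKS truststore that the commented-out pool.default.ssl.* lines above expect and checks whether a profile still talks cleartext. It assumes the profile lives in /etc/ovirt-engine/aaa (so ${local:_basedir} resolves there), that vars.server holds the IPA hostname, and that the engine runs as user ovirt; keytool reads PEM directly, so the IPA ca.crt needs no format conversion.

```shell
#!/bin/sh
# Added example: prepare StartTLS for an ovirt-engine-extension-aaa-ldap profile.
# Assumptions: profile under /etc/ovirt-engine/aaa, vars.server = IPA hostname,
# engine user/group is "ovirt", IPA CA available as PEM (/etc/ipa/ca.crt).
set -eu

# Resolve ${local:_basedir}/${global:vars.server}.jks for a given profile file.
truststore_path() {            # $1 = profile file, $2 = server name
    printf '%s/%s.jks\n' "$(dirname "$1")" "$2"
}

# Print the settings to enable in the profile; the ${...} references are left
# symbolic so the engine expands them exactly as the shipped template does.
tls_settings() {               # $1 = truststore password (not "changeit")
    cat <<EOF
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = \${local:_basedir}/\${global:vars.server}.jks
pool.default.ssl.truststore.password = $1
EOF
}

# Return 0 when the profile has no active startTLS line, i.e. the bind and
# the simple password still cross port 389 unencrypted.
is_cleartext() {               # $1 = profile file
    ! grep -Eq '^[[:space:]]*pool\.default\.ssl\.startTLS[[:space:]]*=[[:space:]]*true' "$1"
}

# Import the IPA CA (PEM) into the truststore and confirm the alias is there.
# Only the engine needs to read the file, so restrict it to root:ovirt.
import_ipa_ca() {              # $1 = ca.crt, $2 = truststore, $3 = password
    keytool -importcert -noprompt -trustcacerts -alias ipa-ca \
        -file "$1" -keystore "$2" -storepass "$3"
    chown root:ovirt "$2" && chmod 0640 "$2"
    keytool -list -keystore "$2" -storepass "$3" | grep -q ipa-ca
}
```

Typical use: `import_ipa_ca /etc/ipa/ca.crt "$(truststore_path /etc/ovirt-engine/aaa/ldap1.properties ipa.example.com)" 'S3cret'`, append `tls_settings 'S3cret'` to the profile, then restart the engine and confirm `is_cleartext` no longer returns 0.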